[PATCH] WPS: fix nonce comparisons

Jouni Malinen j at w1.fi
Tue Aug 14 12:19:46 EDT 2012

On Tue, Aug 14, 2012 at 08:48:11AM +0300, Baruch Siach wrote:
> On Mon, Aug 13, 2012 at 04:26:13AM +0300, Eyal Shapira wrote:
> > Multiple memcmps of nonces were actually comparing
> > only the first byte instead of all 16 bytes.
> Looks like a serious security bug.

Not really. Obviously, it is not good to have that type of memcmp
issues, but the particular ones here were mainly copy-pasted sanity
checks that are of limited significance.

> Do you know what the security implications of this bug are? What versions of 
> hostap are affected? What configurations? Is it WPS specific?

This is specific to WPS and the incorrect code was there from the
initial implementation. So far, I have not found any real security
implication from this.

The main authentication of WPS messages uses a separate mechanism and it
was not affected. In addition, the nonces were validated in correct way
in another function for the M2-M8 messages (i.e., throughout the main
WPS protocol run) and the nonces do not have significant importance for
the couple of messages (ACK,NACK,DONE) were there was no duplicated
validation code.

As far as WPS Enrollee behavior is concerned, the validation of Enrollee
nonce in the beginning of wps_process_wsc_msg() was done also in
wps_process_m{2,4,6,8}(), so for those cases, this was a duplicated
check and there was no practical difference in behavior.
wps_process_m2d() does not have this check, but it won't allow the
protocol to continue anyway, so I don't see any real issue with this
either. Similarly, wps_process_wsc_nack() terminates the protocol, so a
wrong nonce there is of limited significance. wps_process_wsc_ack() can
be on a success path, but nonces don't really play much in that message

Similarly for WPS Registrar, the validation of Registrar nonce in
wps_process_wsc_msg() was also done in wps_process_m{3,5,7}(), so there
was no difference in behavior. wps_process_wsc_{ack,nack,done}() cases
are similar to ack/nack in Enrollee.

Jouni Malinen                                            PGP id EFC895FA

More information about the HostAP mailing list